CVE-2009-1191: mod_proxy_ajp information disclosure vulnerability

[Vincent Danen <vdanen () redhat com>]

This is just a heads up about an information disclosure vulnerability in
mod_proxy_ajp, similar to the issue in mod_jk (CVE-2008-5519).

This only affects mod_proxy_ajp in httpd 2.2.11; prior versions do not
have this problem.  The issue was caused by the following patch:

http://svn.apache.org/viewvc?view=rev&revision=711779

The patch that will be applied to httpd 2.2.12 is here:

http://www.apache.org/dist/httpd/patches/apply_to_2.2.11/PR46949.diff

More information can be found in our bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1191

This would only affect earlier versions of Apache if you had backported
the problem patch to earlier versions.

--
Vincent Danen / Red Hat Security Response Team